aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

CIS 1.9 Kubernetes Check 1.1.14 returns failure for /tmp check #1667

Closed Shashankft9 closed 1 month ago

Shashankft9 commented 3 months ago

Overview

{
              "AuditConfig": "",
              "AuditEnv": "",
              "IsMultiple": true,
              "actual_value": "",
              "audit": "for adminconf in /tmp/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c \"ownership=%U:%G %n\" $adminconf; fi; done\n",
              "expected_result": "'ownership' is present",
              "remediation": "Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/admin.conf\nOn Kubernetes 1.29+ the super-admin.conf file should also be modified, if present.\nFor example, chmod 600 /etc/kubernetes/super-admin.conf\n",
              "scored": true,
              "status": "FAIL",
              "test_desc": "Ensure that the default administrative credential file ownership is set to root:root (Automated)",
              "test_info": [
                "Run the below command (based on the file location on your system) on the control plane node.\nFor example, chown root:root /etc/kubernetes/admin.conf\nOn Kubernetes 1.29+ the super-admin.conf file should also be modified, if present.\nFor example, chmod 600 /etc/kubernetes/super-admin.conf\n"
              ],
              "test_number": "1.1.14",
              "type": ""
            }

Here the actual_value is being reported as an empty string, because there is no admin.conf file in the /tmp folder.

How did you run kube-bench?

I'm running kube-bench inside a pod using the job.yaml

What happened?

root@iksu27-3007-1-l7rfk:~# for adminconf in /tmp/{admin.conf,super-admin.conf}; do if test -e $adminconf; then stat -c "ownership=%U:%G %n" $adminconf; fi; done
root@iksu27-3007-1-l7rfk:~#

I suspect this error is coming because there is no admin.conf file in the /tmp folder. There is a difference in this particular test between CIS 1.9 (here) and CIS 1.8 (here). Is there any particular reason why this test was moved to the /tmp folder in CIS 1.9?

What did you expect to happen:

I expected this test to pass since the file /etc/kubernetes/admin.conf already has the desired permissions.

Environment

kube-bench version: v1.8.0
kubectl version: v1.27.15
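The failure mode in the report is that the 1.1.14 audit loop prints nothing when neither file exists in the audited directory, so actual_value is empty and the "'ownership' is present" test can only FAIL. The script below is an added example, not kube-bench's own code or the benchmark's audit text: it re-implements the loop with the directory as a parameter, exits non-zero when no credential file is found, and evaluates the output the way the expected_result does. It assumes GNU stat (as the benchmark's own command does) and uses explicit paths instead of bash brace expansion, which POSIX sh does not support. The directories it audits are constructed temp dirs standing in for /etc/kubernetes and for an empty /tmp.

```shell
#!/bin/sh
# Added example (not kube-bench code): portable re-implementation of the
# CIS 1.1.14 audit loop that takes the directory as a parameter and fails
# loudly when neither credential file exists, instead of printing nothing.
# Paths are written in full because brace expansion ({a,b}) is a bash
# feature and is not available in POSIX sh.

# audit_admin_conf DIR
# Prints "ownership=USER:GROUP PATH" for each admin.conf / super-admin.conf
# found under DIR. Returns 1 (with a message on stderr) if none exists.
audit_admin_conf() {
  dir="$1"
  found=0
  for adminconf in "$dir/admin.conf" "$dir/super-admin.conf"; do
    if [ -e "$adminconf" ]; then
      stat -c "ownership=%U:%G %n" "$adminconf"
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no admin.conf or super-admin.conf under $dir" >&2
    return 1
  fi
}

# evaluate_1_1_14 DIR
# Mirrors the benchmark's expected_result ("'ownership' is present"): the
# check can only pass when the audit output contains "ownership", and here
# additionally requires every reported owner to be root:root. Prints PASS or FAIL.
evaluate_1_1_14() {
  actual="$(audit_admin_conf "$1" 2>/dev/null || true)"
  case "$actual" in
    *ownership=*)
      # any line that is not root:root fails the check
      if printf '%s\n' "$actual" | grep -qv 'ownership=root:root '; then
        echo FAIL
      else
        echo PASS
      fi
      ;;
    *)
      # empty actual_value: the audited directory had no credential file
      echo FAIL
      ;;
  esac
}

# Constructed demo: one directory holding both files (stand-in for
# /etc/kubernetes) and an empty one (what the /tmp audit in the report hit).
demo_dir="$(mktemp -d)"
: > "$demo_dir/admin.conf"
: > "$demo_dir/super-admin.conf"
empty_dir="$(mktemp -d)"

echo "audit of $demo_dir:"
audit_admin_conf "$demo_dir"
echo "result: $(evaluate_1_1_14 "$demo_dir")"

echo "audit of $empty_dir:"
audit_admin_conf "$empty_dir" || echo "audit exited $? -> result: $(evaluate_1_1_14 "$empty_dir")"

rm -rf "$demo_dir" "$empty_dir"
```

Run as a normal user the populated directory still evaluates to FAIL (the files are owned by that user, not root:root), which is the correct outcome for an ownership check; the point of the empty-directory case is that a non-zero exit and a stderr message make a "wrong path" failure distinguishable from a genuine ownership failure.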

andypitcher commented 3 months ago

@Shashankft9 thanks for reporting this issue. There's already a related issue and fix, see #1668.

emosbaugh commented 1 month ago

Looks like this is resolved by https://github.com/aquasecurity/kube-bench/pull/1649

afdesk commented 1 month ago

@emosbaugh thanks! In favor of #1649.